Beta exploit pack: one more piece of crimeware for the infection road!

2015-06-18

Aditya K.Sood

Michigan State University, USA

RohitBansal

Independent Security Researcher, USA

Editor: MartijnGrooten

Abstract

Beta BEP appears to be the latest exploit kit in development. After finding their way into a Beta BEP C&C panel, Aditya Sood and Rohit Bansal were able to gather intelligence about the structure and working of the exploit pack. Here they share their findings about the pack - which they believe we will start to see being used in the coming months.

Browser exploit packs (BEPs) or exploit kits are used extensively in drive-by download attacks to infect target systems on the Internet. BEPs are used to distribute advanced malware to end user systems after exploiting vulnerabilities in browsers’ components or embedded plug-ins. BEPs are hosted on compromised domains and victims are coerced into visiting those domains either through spear phishing or through URLs shared on social networks and so on. On visiting a compromised domain, the victim’s browser is fingerprinted and if a vulnerable component is found, the respective exploit is served and malware is downloaded onto the system. In previous papers, we have presented details of the BlackHole [1], Sweet Orange [2] and Styx [3] BEPs to highlight their design and tactics. Several of the techniques used by Beta Browser Exploit Pack (Beta BEP) are very similar to those used by these exploit packs.

Beta BEP (which is unrelated to the Beta bot) is the latest exploit kit in development. At BlackHat USA 2014 [4], we discussed several fundamental weaknesses in the command and control (C&C) panels used by various pieces of crimeware. The idea of that research was to look for potential issues in web-based C&C panels and to reveal how to find security flaws in them in order to gather intelligence. It came as no surprise that we were able to find our way into a Beta BEP C&C panel and gather some intelligence about the structure and working of the Beta exploit pack. The author of the exploit pack did revoke and take down the panel shortly after we had found our way in, but not before we had extracted some meaty details from it.

We have been studying this exploit pack and gathering data for several weeks now – publishing delays are an unavoidable part of the process of releasing intelligence. Meanwhile, we discovered that another researcher had released an analysis of a very similar exploit kit under the name of ‘Sundown EK’ [5]. In his analysis, the researcher covered details of the network traffic and how the infection is triggered. He reported certain things that are very similar to what we found in our analysis of Beta BEP, as well as some that are slightly different:

The BEP under discussion in this article is sold in the underground market under the name of ‘Beta’; the one analysed in [5] has been given the name ‘Sundown’ by the researcher who discovered it. The analysis of Sundown covers the BEP’s initial testing URLs, which is why the exploits used and URL structure are similar in nature to those we see in Beta.

In [5], the version of Sundown analysed is ‘0.1a’, whereas we analysed version 3.0 of Beta BEP. The author of the exploit kit actually claims Beta as copyleft (a method of making software free so that it can be modified and extended by other developers, thereby maintaining the ‘free software’ clause). We are not sure that copyleft makes any sense in the context of software that is sold in the underground market, and if source code is shared it will be modified accordingly.

The Sundown exploit kit is still under development and it appears that the author is testing it for effectiveness. We have not encountered any real-time cases of Beta BEP version ‘3.0’ being used in the wild, but since it is also in a testing phase, we believe that it will be running live somewhere privately. We tried to access the configured URLs we found in the C&C but all of the domains had been taken down and no active infection URLs were detected.

The rental price of Beta BEP is between $2,000 per month and $100 per day.

As a research community, it’s always good practice to collaborate and share intelligence so that we can tackle issues in a more granular way.

C&C panel

Primarily, the Beta BEP consists of the following components:

A component for collecting statistics on successful infections.

A component that will upload a malicious executable and check whether it can bypass anti-virus en-gines.

A component that is used to configure domains for serving exploits and which checks the domains for potential detection or flagging by anti-virus engines.

Listing 1 shows the basic structure of the Beta BEP that was configured on the C&C server.

Target domain scanning

Beta BEP has a built-in functionality for determining the effectiveness of the domain that is used to deploy the exploit or executable which is served to the victim’s machine during an attack. When a vulnerability is found and an exploit successfully executed, the infected domain is queried in order to download the malicious executable. Beta BEP uses Scan4You [6], which is a freely available service that will check the robustness of a target domain (hosting exploits or malicious executables) against various anti-virus engines to verify its rate of detection. The idea is to check up front whether or not the configured exploit URL can be detected as malicious. Avoiding exposure to detection solutions is important in order for the malware to be served in a stealthy manner. If the target domain is found to be included on blacklists or flagged as malicious, a new one can easily be configured by the Beta BEP controller in order to continue the infection spreading mechanism. Figure 1 and Figure 2 show how Beta BEP scans the target URLs and domains to verify their detection rate by various security vendors.

Part of the URL uses an encoding scheme, but we are not sure what type of encoding is used. Incorporating obfuscated strings into URLs is a technique commonly used by BEPs in order to bypass certain detection solutions. Figure 3 shows one of the configured domains being tested for maliciousness using the Scan4You service.

Figure 3. Scan4You service in action.

Malicious executable scanning

Beta BEP allows only one file at a time to be uploaded to the C&C, which then gets compressed and embedded in the required exploit. At this point, it seems that multiple malware files are not supported: if the malicious executable needs to be replaced, the previous executable (or binary) file must be deleted and cleaned in order to provide a clean environment for the new executable to be incorporated into the exploits. Like the exploit-serving URLs, the uploaded malware executable is scanned to check its rate of detection by anti-virus engines. Figure 4 shows the file uploading and scanning functionality of Beta BEP.

Figure 4. File uploading and scanning capability in Beta BEP.

Exploits for specific vulnerabilities

Table 1 shows the exploits that are supported by Beta BEP as part of its design. There is the possibility for more exploits to be added and/or existing exploits removed later on. As can be seen from the CVEs, Flash exploits are preferred. This is because of the recent rise in the number of remote code execution vulnerabilities in Flash.

S. No.

CVEs

Description

1

CVE-2015-0311

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors.

2

CVE-2015-0359

Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors.

3

CVE-2015-0313

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to exe-cute arbitrary code via unspecified vectors.

4

CVE-2014-0556

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors.

Infection statistics

We know that most crimeware service providers rent out BEPs to collect money based on successful pay-per infections (PPI). However, BEPs can also be sold directly for a lump sum. We found that Beta BEP collects the following statistics:

Information about compromised browsers

Details of the countries in which successful infections have triggered, which means that geo-location tagging is enabled in Beta BEP

Conclusion

As we have discussed, Beta BEP is not as active in the real market as, for example, Fiesta or Angler, but we believe that we will start to see it being used in the coming months. We were not able to collect enough data to dissect the network-level details of the BEP and understand how exactly the exploits are served, but we believe that revealing as much information as we know about Beta BEP will benefit the security research community, making researchers aware of the upcoming threat so that appropriate defences can be designed and put in place to combat it.

Latest articles:

The number of incidents attributed to the Lazarus Group, a.k.a. Hidden Cobra, has grown rapidly since its estimated establishment in 2009. In this paper, ESET researchers Peter Kalnai and Michal Poslusny look at various cells within the group, that…

As the world grapples with massive disinformation campaigns waged by the intelligence agencies of hostile nations, we should not forget that such activities are not limited to the purview of the Bears or Pandas of the world, and that even relatively…

In an average five-year-old car, there are about 30 different computers on board. In an average new car, there are double that number, and in some cases up to 100. That’s the size of network an average SMB would have, only there’s no CIO/CISO, and…

Malicious Android applications are quite common, and can even be found from time to time in the Google Play Store. Thus, a lot of work has been done in both industry and academia on Android app analysis, and in particular, static code analysis. One…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.